LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 11-19-2006, 03:13 AM   #1
saravkrish
Member
 
Registered: Mar 2004
Location: KY, USA
Distribution: Fedora Core 1
Posts: 190

Rep: Reputation: 30
How to run wine securely? Or in a sandbox.


Hi,

I use Fedora and I installed wine using yum. I remember reading somewhere that one should run wine as user "nobody" so that insecure programs (say, IE) don't open up one's Linux box for attacks.

How do I run wine securely so that even if I run an insecure program under wine, it won't be able to access any of my user files? I want to login as sarav and still be able to run wine and not let it access my files. How do I do this?

Thanks in advance.

-Sarav
 
Old 11-19-2006, 07:51 AM   #2
Indiestory
Member
 
Registered: Aug 2006
Location: Aberdeen, Scotland
Distribution: OpenBSD
Posts: 164
Blog Entries: 1

Rep: Reputation: 30
You could create a user locked in there home directory, and only give them permission to use WINE , effectivly stopping WINE from editing files the user doesnt own and stopping anyone else from using it
 
Old 11-19-2006, 05:43 PM   #3
saravkrish
Member
 
Registered: Mar 2004
Location: KY, USA
Distribution: Fedora Core 1
Posts: 190

Original Poster
Rep: Reputation: 30
But how do I run win32 apps logged in as a different user? Also, how do I make sure that all files created by the user automatically have group write permissions?

Btw, I'm currently using wine under my user and wanted to prevent access to root dirs. So I removed the root dir using winecfg. But when I do "File->Open" in any win32 app, I still see the root dir under "My Desktop". How do I remove that?

Thanks,
Sarav
 
Old 11-19-2006, 06:42 PM   #4
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,425

Rep: Reputation: 1159Reputation: 1159Reputation: 1159Reputation: 1159Reputation: 1159Reputation: 1159Reputation: 1159Reputation: 1159Reputation: 1159
Remember that Wine is a user-mode program; it runs as "you," in your own session. It does not have a separate daemon component .. no, "wineserver" is not a daemon.

If you want to ensure that an IE session, say, cannot do anything malicious, then the problem is exactly the same as how one would address the problem if neither IE nor Wine were involved. It would be the same as you would face if, say, you were guarding against a malicious Java applet running on your own favorite Linux browser.

You would do this by setting up a separate user account, connecting to it, and doing your work in that account. XWindows and XOrg can both allow you to start new graphical sessions on the same terminal, and you switch between them with a Shift+Ctrl+Fn sequence.

You can also use the command-line su username command, or even sudo, to execute a particular command as someone else. You might find that capability built-in to your favorite graphical shell, akin to Microsoft Windows' "run as user" facility.

A process that is launched as a particular user is strictly limited to the capabilities assigned to that user. If you wish to make your own files "strictly off limits" to some process that you ("the person") have initiated .. this is how to do it. It applies equally to Windows and Linux.
 
Old 11-19-2006, 09:40 PM   #5
jlo_sandog
Member
 
Registered: Jul 2005
Location: USA
Distribution: F10 (x86_64)
Posts: 549

Rep: Reputation: 31
I actually don't think that by running IE under wine you will have any issies with security. In a sense it runs in its own sandbox, and if it were to get infected, which I doubt, all you would have to do is delete the .wine profile. Next time you start wine it would generate a new one.
 
Old 11-19-2006, 10:52 PM   #6
saravkrish
Member
 
Registered: Mar 2004
Location: KY, USA
Distribution: Fedora Core 1
Posts: 190

Original Poster
Rep: Reputation: 30
I guess sudo is the way to go.

sundialsvcs, I agree/knew that risks due to IE is similar to risk due to anyother untrusted linux app. But the problem is that more people try to attack IE rather than some random Linux app.

Also, I don't consider that IE is as secure and well written as other linux apps (might be wrong here).

So my question is still well placed, but so is your solution. Have to dig into sudoing as another user. I know only to sudo as root not as another user.

jlo_sandog, No. IE doesn't run in a sandbox. IE runs natively (hence Wine Is Not an Emulator). So once a buffer flow in IE is used to inject code, all a blackhat needs to do it inject linux specific code instead of windows specific code and your linux user account goes boom.

Thanks,
Sarav
 
Old 11-21-2006, 03:45 AM   #7
jlo_sandog
Member
 
Registered: Jul 2005
Location: USA
Distribution: F10 (x86_64)
Posts: 549

Rep: Reputation: 31
yes, but that's my point what's the chance someone will write linux specific code to infect a computer when someone uses IE?
 
Old 11-21-2006, 11:35 PM   #8
saravkrish
Member
 
Registered: Mar 2004
Location: KY, USA
Distribution: Fedora Core 1
Posts: 190

Original Poster
Rep: Reputation: 30
jlo_sandog,

That's not what you claimed in your previous post. According to your previous post (quote: "and if it were to get infected, which I doubt, all you would have to do is delete the .wine profile"), IE infection can never affect any linux user files that are not made available through drive mapping in winecfg.

Also, just because we don't expect someone to attack Linux through IE+Wine doesn't mean the problem doesn't exist.

Anyway, lets not deviate from the main topic of this thread. Btw, I think sundialsvcs answered my question.

Thanks,
Sarav
 
  


Reply

Tags
wine


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Which distro for our 'sandbox' machine? r2t2 Linux - Distributions 4 01-18-2006 11:41 AM
SandBox / emulator Software q.sa Linux - Software 2 08-20-2005 01:18 PM
Trying to run photoshop in wine. Install, but wont run. bruno buys Linux - Software 14 07-15-2004 05:30 PM
How to run Java programs in a sandbox fpmc Programming 0 07-07-2004 04:57 AM
sandbox lockout... jwhiz Linux - Newbie 2 10-02-2002 05:04 PM


All times are GMT -5. The time now is 11:38 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration